SafeMode - Analysis: registrosaqui.com

Visual Capture

Detection Info

https://registrosaqui.com/

Detected Brand

CMR Puntos

Country

International

Confidence

100%

HTTP Status

N/A

Report ID

66d466e6-26d…

Analyzed

2026-01-30 06:55

Content Hashes (HTML Similarity)

Used to detect similar phishing pages based on HTML content

Algorithm	Hash Value
CONTENT TLSH	T1514153318545C93B5693A6A49321DF2AB1D3C613CB0318A5B2F993ED9BD7D85CDD028C
CONTENT ssdeep	48:sHhHcpnifS6uM6hRx1fRYwiMucL+CDQyS:CaiS6uM6hIk+1

Visual Hashes (Screenshot Similarity)

Used to detect visually similar phishing pages based on screenshots

Algorithm	Hash Value
VISUAL pHash	e6dc997174c43199
VISUAL aHash	ffffe7c3c3c3e7e7
VISUAL dHash	8c140c4d0e0e4c0c
VISUAL wHash	42c7c3c3c3c3e3c3
VISUAL colorHash	07600006000
VISUAL cropResistant	8c140c4d0e0e4c0c,100c32b2b2320c10,0929696577b4da5a

Code Analysis

Risk Score 81/100

Threat Level ALTO

⚠️ Phishing Confirmed

🎣 Credential Harvester 🎣 OTP Stealer

🔬 Threat Analysis Report

• Threat: Credential harvesting phishing kit targeting CMR Puntos users.
• Target: Users of the CMR Puntos rewards program.
• Method: Fake login form designed to steal RUT (Chilean tax ID) and internet banking password.
• Exfil: Data exfiltration likely through JavaScript form submission, possibly leading to a custom API based on obfuscation.
• Indicators: Very recent domain registration, obfuscated JavaScript, and a domain name unrelated to the brand.
• Risk: HIGH - Immediate credential theft and potential account compromise.

🔒 Obfuscation Detected

fromCharCode
base64_strings

📡 API Calls Detected

https://api.ipify.org?format=json
/submit.php
POST

📊 Risk Score Breakdown

Total Risk Score

100/100

Contributing Factors

Active Phishing Kit

Detected Credential Harvester and OTP Stealer kits with real-time form interception for RUT and Clave Internet fields.

High Obfuscation

19 obfuscation techniques detected, indicating deliberate evasion of detection and analysis.

Brand Impersonation

Targeting CMR Puntos, a recognized financial loyalty program, increasing likelihood of successful credential theft.

Form Fields

3 forms detected, including sensitive fields (RUT, Clave Internet) commonly used for account takeover.

🔬 Comprehensive Threat Analysis

Threat Type

Two-Factor Authentication Stealer

Target

CMR Puntos users (International)

Attack Method

Brand impersonation + credential harvesting forms + obfuscated JavaScript

Exfiltration Channel

Form submission (backend endpoint not detected - likely JavaScript-based)

Risk Assessment

CRITICAL - Automated credential harvesting with Form submission (backend endpoint not detected - likely JavaScript-based)

⚠️ Indicators of Compromise

Kit types: Credential Harvester, OTP Stealer
19 obfuscation techniques

🏢 Brand Impersonation Analysis

Impersonated Brand

CMR Puntos

Official Website

https://www.cmrpuntos.cl/

Fake Service

CMR Puntos account access and loyalty points management

⚔️ Attack Methodology

Primary Method: Credential Harvesting

The phishing kit captures RUT (Chilean national ID) and Clave Internet (internet Banking password) via form submission. Data is likely exfiltrated in real-time to an attacker-controlled server for immediate account takeover.

Secondary Method: OTP Stealer

The OTP Stealer kit component intercepts one-time passwords (OTPs) sent via SMS or authentication apps, enabling bypass of two-factor authentication (2FA) for CMR Puntos accounts.

🌐 Infrastructure Indicators of Compromise

Domain Information

Domain

registrosaqui.com

Registered

2026-01-18 22:44:09+00:00

Registrar

Tecnocratica Centro de Datos, S.L.

Status

Recently registered (8 days old)

🦠 Malicious Files

Main File

File Size

JavaScript file with potential credential harvesting or OTP interception functionality.

📊 Attack Flow Diagram

┌──────────────────────────────────────────────────────────┐
│ 1. VICTIM RECEIVES PHISHING LURE                          │
│    - Email/SMS with fake CMR Puntos offer                │
│    - Link to fraudulent login page                       │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 2. FAKE LOGIN PAGE LOAD                                  │
│    - Mimics legitimate CMR Puntos site                   │
│    - Displays credential input form                      │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 3. CREDENTIAL SUBMISSION                                 │
│    - Victim enters Banking credentials                   │
│    - Form captures input data                            │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 4. DATA EXFILTRATION                                     │
│    - Credentials sent via HTTP POST                      │
│    - Standard form submission to attacker server         │
└──────────────────────────────────────────────────────────┘

🔬 JavaScript Deep Analysis

Total Code Size

68.7 KB

🔗 API Endpoints Detected

Other

5

🔐 Obfuscation Detected

: Light

🤖 AI-Extracted Threat Intelligence

📊 Attack Flow

┌──────────────────────────────────────────────────────────┐
│ 1. VICTIM RECEIVES PHISHING LURE                          │
│    - Email/SMS with fake CMR Puntos offer                │
│    - Link to fraudulent login page                       │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 2. FAKE LOGIN PAGE LOAD                                  │
│    - Mimics legitimate CMR Puntos site                   │
│    - Displays credential input form                      │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 3. CREDENTIAL SUBMISSION                                 │
│    - Victim enters Banking credentials                   │
│    - Form captures input data                            │
└────────────────────┬─────────────────────────────────────┘
                     │
                     ▼
┌──────────────────────────────────────────────────────────┐
│ 4. DATA EXFILTRATION                                     │
│    - Credentials sent via HTTP POST                      │
│    - Standard form submission to attacker server         │
└──────────────────────────────────────────────────────────┘